8.
The PDCA Cycle
• Plan (establishing the ISMS)
• Establish the policy, the ISMS objectives, processes and procedures
related to risk management and the improvement of information
security to provide results in line with the global policies and
objectives of the organization.
• Do (implementing and operating the ISMS)
• Implement and operate the ISMS policy, controls, processes and
procedures.
• Check (monitoring and review of the ISMS)
• Assess and, where applicable, measure the performance of the
processes against the policy, objectives and practical experience, and
report the results to management for review.
• Act (update and improvement of the ISMS)
• Undertake corrective and preventive actions, on the basis of the
results of the ISMS internal audit and management review, or other
relevant information to continually improve the said system.

9.
A.5 Security Policy
To provide management direction and support for information
security in accordance with business requirements and relevant
laws and regulations.
• Approved by management
• Communicated to employees and relevant external parties
• Reviewed at planned intervals
• Ensure its continuing suitability, adequacy, and effectiveness.

10.
A.6 Organization of Information Security
To manage information security within the organization.
• Management shall actively support security within the
organization.
• Co-ordinated by representatives from different parts of the
organization.
• Confidentiality and non-disclosure agreements.
• Appropriate contacts with relevant authorities, security
forums and professional associations shall be maintained.
• Independent reviews should be conducted at planned
intervals or when significant changes to the security
implementation occur.

11.
A.7 Asset Management
Typical policy statements for Asset Management include:
• All assets shall be clearly identified, documented and regularly
updated in an asset register
• All assets shall have designated owners and custodians listed
in the asset register
• All assets will have the respective CIA (Confidentiality, Integrity
and Availability) rating established in the asset register
• All employees shall use company assets according to the
acceptable use of assets procedures
• All assets shall be classified according to the asset classification
guideline of the company

14.
A.10 Communications and Operations
Management
Operational procedures and responsibilities
• Documented operating procedures
• Change management
• Segregation of duties
• Separation of development, test and operational facilities
Third Party Service Delivery Management
• Implement security controls, service definitions and delivery
levels in the agreement.
• Monitoring and review of third party services
• Managing changes to third party services

15.
Company
A company may want to adopt ISO 27001 for the following
reasons:
• It is suitable for protecting critical and sensitive information
• It provides a holistic, risk-based approach to secure
information and compliance
• Demonstrates credibility, trust, satisfaction and confidence
with stakeholders, partners, citizens and customers
• Demonstrates security status according to internationally
accepted criteria
• Creates a market differentiation due to prestige, image and
external goodwill
• If a company is certified once, it is accepted globally.

16.
Asset Classification
• CONFIDENTIAL: This category refers to asset information that
relates to individuals or is otherwise restricted only to
authorized users, and if disclosed outside the company would
harm the organization, its customers, or its partners.
• RESTRICTED: This level pertains to asset information that is
highly sensitive to the company and which, when disclosed,
would cause substantial damage to the reputation and
competitive position of the company in the market.
• INTERNAL: This classification refers to asset information that is
potentially available to all personnel within the company, but
is not public.
• PUBLIC: This classification refers to asset information that has
been published or obtainable from a published source, e.g.
the Internet.

17.
User Registration
Typical policy statements can include:
• All users shall have a unique user ID based on a standard naming
convention
• A formal authorization process shall be defined and followed for
provisioning of user IDs.
• An audit trail shall be kept of all requests to add, modify or delete
user accounts/IDs
• User accounts shall be reviewed at regular intervals
• Employees shall sign a privilege form acknowledging their access
rights
• Access rights shall be revoked when employees change roles or leave
the company
• Privileges shall be allocated to individuals on a ‘need-to-have’ basis.
• A record of all privileged accounts shall be maintained and updated
on a regular basis

18.
Password Management
Typical organizational password management policies include:
• Users shall be forced to change their passwords at the time of first
use
• Passwords shall have a minimum length of eight characters
• Passwords for all users shall expire in 30/60 days
• A record of five previous passwords shall be maintained to prevent
re-use of these passwords
• A maximum of three successive login failures shall result in a user’s
account being locked out
• Passwords shall not be displayed in clear text when they are being
keyed in
• Passwords must include at least one lowercase character (a-z), one
uppercase character (A-Z) and one numeric character (0-9) or one
special character (@ # $ & / +)
• All password entry attempts shall be logged along with date, time, IP
address, machine name, application and user ID, for both successful
and unsuccessful login attempts

19.
Clear Work Environment
Examples of clear work environment policies include:
• Critical information shall be protected when not required for
use
• Only authorized users shall use the photocopier machines
• All loose documents on employees’ desks shall be
confiscated at the end of the business day
• A user’s desktop shall not contain references to any document,
directly or indirectly

20.
Operating System and
Application Controls
Sample operating system and application control policies include:
• All users in the organization shall have a unique ID
• No system or application details shall be displayed before log-in
• On log-in failure, the error message shall not indicate which part
of the credential is incorrect
• The number of unsuccessful log-in attempts shall be limited to 3/5/6
attempts
• During the log-in process, all password entries shall be masked by a
symbol
• The use of system utility programs shall be restricted, e.g. password
utilities
• All operating systems and applications shall time out after
5/10/15/30 minutes of inactivity
• All applications shall have dedicated administrative menus to control
access rights of users
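An added example (not from this deck) that turns the password management and log-in control statements above into code: complexity rules, a five-deep password history stored as salted hashes, a generic failure message that does not reveal which part of the credential was wrong, lockout after three successive failures, and one audit line per attempt. The names Account, attempt_login and the sample user, host and IP values are assumptions made for the example.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass, field

# Policy values taken from the slide text; the setting names are constructed for this example.
MIN_LENGTH = 8
HISTORY_DEPTH = 5          # five previous passwords kept to block re-use
MAX_FAILURES = 3           # third successive failure locks the account
SPECIALS = set("@#$&/+")   # the special characters the slide lists
GENERIC_FAILURE = "Login failed"  # never says whether user ID or password was wrong

def meets_complexity(pw: str) -> bool:
    # Minimum length plus one lowercase, one uppercase and one digit or listed special.
    return (len(pw) >= MIN_LENGTH
            and any("a" <= c <= "z" for c in pw)
            and any("A" <= c <= "Z" for c in pw)
            and any(c.isdigit() or c in SPECIALS for c in pw))

def _digest(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never stores passwords in clear text.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)  # (salt, digest), current password first
    failures: int = 0
    locked: bool = False

    def set_password(self, new_pw: str) -> bool:
        if not meets_complexity(new_pw):
            return False
        if any(hmac.compare_digest(_digest(new_pw, s), d) for s, d in self.history):
            return False                      # matches the current or one of the five previous
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(new_pw, salt)))
        del self.history[HISTORY_DEPTH + 1:]  # current password plus HISTORY_DEPTH previous ones
        return True

def attempt_login(accounts: dict, user_id: str, pw: str, ip: str, host: str, app: str, log: list) -> str:
    # Checks the credential, enforces lockout and logs every try as the slide requires.
    acct = accounts.get(user_id)
    ok = False
    if acct is not None and not acct.locked and acct.history:
        salt, digest = acct.history[0]
        ok = hmac.compare_digest(_digest(pw, salt), digest)
    if acct is not None:
        acct.failures = 0 if ok else acct.failures + 1
        acct.locked = acct.locked or acct.failures >= MAX_FAILURES
    log.append(f"{time.strftime('%Y-%m-%d %H:%M:%S')} ip={ip} host={host} app={app} "
               f"user={user_id} result={'success' if ok else 'failure'}")
    return "OK" if ok else GENERIC_FAILURE    # unknown user and wrong password look identical
```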

21.
Network Security
Typical policy statements for Network Security include:
• Appropriate authentication mechanisms shall be used to
control access by remote users.
• Allocation of network access rights shall be provided as per
the business and security requirements
• Two-factor authentication shall be used for authenticating
users using mobile/remote systems

22.
Benefits
The key benefits of 27001 are:
• It can act as the extension of the current quality system to
include security
• It provides an opportunity to identify and manage risks to key
information and systems assets
• Provides confidence and assurance to trading partners and
clients; acts as a marketing tool
• Allows an independent review and assurance to you on
information security practices

23.
Drawbacks
• It has some things that don’t make sense.
• Some controls cover almost the same issues, causing
confusion, e.g. A.9.2.6 (Secure disposal or re-use of
equipment) and A.10.7.2 (Disposal of media)
• Some issues, like relationships with third parties, are scattered
across various clauses of Annex A: they appear in clause
A.6.2 (External parties), A.8 (Human resources security) and
A.10.2 (Third party service delivery management), and control
A.12.5.5 (Outsourced software development)
• Only six controls have the word “documented” in them. Does that
mean all the others can be implemented without documentation?

24.
Changes made in ISO 27001:2013
• The number of sections has increased from 11 to 14.
• Management and Leadership are redefined as two separate
requirements.
• Section 6: Planning and its evaluation
• New chapter added on Performance evaluation